3 October 2023
On 10 July 2023, the European Commission (“EC”) reached an “adequacy decision” under the European Union (“EU”) General Data Protection Regulation (“EU GDPR”), approving transfers of personal data to organisations located in the United States (“U.S.”) that are certified under the newly-established Trans- Atlantic Data Privacy Framework (“DPF”) agreed between the U.S. and the EU. On 12 October 2023, an equivalent decision, in respect of the same DPF, takes effect for the purposes of the UK General Data Protection Regulation. The UK Government prefers to refer to the DPF as a “data bridge”.
These long-awaited decisions replace the EU-U.S. “Privacy Shield”, which was invalidated by the Court of Justice of the European Union (“CJEU”) in the Schrems 2 case in 2020 (see our article on Schrems 2). Although the adequacy decisions are likely also to be challenged before the CJEU and the UK courts, for the time being they dispel the considerable uncertainty around transfers of personal data regulated by the US and UK General Data Protection Regulations to the U.S. that arose following Schrems 2. They should greatly simplify the risk analysis associated with these transfers, even where they are made to U.S. recipients which do not participate in the DPF. Businesses will need to review their compliance strategies to explore taking advantage of the opportunities presented by the DPF and the adequacy decisions.